# CrowdStrike Falcon Integration

Enzoic for Active Directory audit events can be pushed directly to your CrowdStrike Falcon instance. This allows you to leverage the rich search capabilities built into Falcon.

### 2.1 Falcon Configuration

1. From the hamburger menu at the top left, click *Next-Gen SIEM*, then in the flyout, click *Data onboarding*.

   <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FBbq4UPGzsH9FuplzewU6%2FPicture1.png?alt=media&#x26;token=c9f3d068-960f-49ff-8872-e17425464cce" alt=""><figcaption></figcaption></figure>
2. Click the *Data sources* tab.
3. Click *Search by name*, and enter “http” (without quotes).

   <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FatljwqBm4JdVbjDyuuQt%2FPicture4.png?alt=media&#x26;token=d7e45fd4-23f3-4d52-862c-67e26126e83f" alt=""><figcaption></figcaption></figure>
4. Click on the HEC / HTTP Event data source.
5. Enter the required information to set up the data source as follows:
   1. For *Data source*, enter enzoic-for-ad-audit-log-data-source
   2. Select JSON as the *Data type*
   3. For *Connector name*, enter enzoic-for-ad-audit-log-connector
   4. In the *Parsers* drop down, search for and select the ***enzoic-enzoicforactivedirectory*** parser.
   5. Tick the affirmation checkbox at the bottom, above the Cancel button.
   6. Click *Save*.

      <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FEN5SbIIaolEU68u5DfSK%2FScreenshot%202025-06-02%20at%202.06.28%E2%80%AFPM.png?alt=media&#x26;token=0252a8cb-d924-425c-b938-4a36d9e93a97" alt="" width="342"><figcaption></figcaption></figure>
6. Click *Close* on the modal popup.
7. Towards the top right of the page, click the *Generate API Key* button.

   <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FGoo5IezwN4WGDBJDeOc5%2FPicture6.png?alt=media&#x26;token=a7268dec-efa4-4e98-adb9-af0eaaf6fa0e" alt=""><figcaption></figcaption></figure>
8. On the Connection setup modal popup, copy the API key and API URL values to a safe and secure location. You will also need these to configure Enzoic for Active Directory in the next steps.

   <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FmFxk70iKuktq7jrFQcje%2FPicture7.png?alt=media&#x26;token=9241b198-641d-49c6-8fde-0f38b9914625" alt=""><figcaption></figcaption></figure>
9. In the Enzoic for Active Directory console, click Settings in the left navigation panel, then click on the Crowdstrike tab page.

   1. Enter the API URL and API Key generated by Falcon, tick the Enabled checkbox, then click Update Configuration.

   <figure><img src="https://2701385816-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqUvu5ROhAFk2o0pyF6lF%2Fuploads%2FGmKaFWow2YWRRqwLOtCt%2FPicture8.png?alt=media&#x26;token=b6ef494b-faf4-45f5-9bdc-ed762848fa25" alt=""><figcaption></figcaption></figure>

Enzoic for Active Directory is now set up to push all audit events to your Falcon instance.
